Re: Way forward with BIND 8

From: Doug Barton <DougB_at_FreeBSD.org>
Date: Fri, 6 Jun 2003 17:31:40 -0700 (PDT)

On Fri, 6 Jun 2003, Paul Robinson wrote:

> On Fri, Jun 06, 2003 at 03:01:02AM -0700, Doug Barton wrote:
>
> > FreeBSD development model requires that what we import in -current, for
> > the most part, be what we plan to eventually MFC. That factor alone
> > eliminates the possibility of importing BIND 9 at this time.
>
> Sorry to wade in here -

No need to apologize, I asked for feedback.

> let me just ask for clarification on something. Are you stating as the
> BIND maintainer around these parts that FreeBSD will never have BIND 9?

No, that's not what I'm saying at all. Someone else already pointed out
that I said "at this time" above. I plan to look at this issue again for
6-current, but right now, it's not a suitable choice, in my opinion.

> > Correct, however historically the project has chosen what it wants to be
> > "adventurous" about. Using the "tried and true" versions of things in
> > src/contrib gives us more flexibility to be "adventurous" in the parts of
> > the tree that are generated by the project.
>
> ISC claim BIND 9 to be the current release.

Goody for ISC. :) Seriously though, I understand what the ISC web page
says quite well. I also meet with Paul Vixie and folks from Nominum on a
very regular basis. However, regardless of whatever purposes they may have
for stating that 9.2.2 is "the current release," from a technology
standpoint it's still not suitable for us to import, at this time.

> 9.2.2 was released on March 3rd.  I've been running it on one box here
> since March 5th. I have no issues. It is stable.

Please add, "in my environment" to each of the statements above. I use
bind 9 too, and for certain things, it's great. I just don't think it's
suitable for a general purpose replacement yet.

> It *will* act as a drop-in replacement for BIND 8 if you wish,

This is not accurate. There are some things that named in bind 8 can do
that named in bind 9 won't (and won't ever). There is also the fact that
output from dig and host are different, which can cause problems with
scripts.

For these reasons alone, we can't even consider MFC'ing bind 9 to
RELENG_4, it's too big of a POLA violation.

> except it's more secure,

This has yet to be proven. As I state in point 1 on my web page, "BIND 8
has many orders of magnitude more hours of use in production, and hours of
blackhats poking at it." So far, cracking BIND 9 has been a low-interest
occupation since so many more sites are running old, vulnerable versions
of BIND 8.

> development is continuing on it,

Development is continuing on BIND 8 as well, thus the 8.4.x branch, which
includes IPv6 transport.

> and in my experience, it performs better.

Well at least you qualified your statement this time. :)

> I'm sure you have your reasons, I'm just not sure what they are.

Ummm... then you haven't really been paying attention, since I posted the
http://people.freebsd.org/~dougb/whybind8.html URL in my original post,
and gave more details in my response to Brad. Hopefully this will further
clarify things though.

Doug

-- 

    This .signature sanitized for your protection
Received on Fri Jun 06 2003 - 15:31:43 UTC
